[Rspamd-Users] Phishing email mark as legit with very low score

David Mehler dave.mehler at gmail.com
Mon Jul 29 15:39:53 UTC 2019


Hi,

How did you add that message to bayes_spam?

On 7/29/19, Gabriele Nencioni <gabriele.nencioni at register.it> wrote:
> Hi all,
> I have an issue with a phishing email, with a malicious URL pointing to
> garalmiase.xyz:
>
> <a
> href=3D"https://garalmiase.xyz/ERTY6RUYAERYHTUHTE/ETSHTRHTESDYWRTG6TYGJH=
> ETHBNRYTH/SETYHAYH6TUH56356I687UH/AE56YWS357Y6U5HY6UY35YYH66B4TU/SE45Y43YH6=
> TUJHT5ERYWS54HTY3564TY35/54EY45WRTUJ5ERYH65UYH56UYH6/6RWYHT5UH6R5RYY54WERTJ=
> EH/WS5YHT46TYH54TUH6T4RUHY5YW56/W56TEYW54TYH46ERTH54YH54TUHY65/4W5YTRYW54EY=
> THRYE5Y54TH46/W54EYTG54WERYWGW4E6YTHG54TH64/mailbox/W54Y54ERHGB4E54DYG54WYG=
> /userarchive/redo.php?email=3Dan-our-mailbox at dada.eu">dada.eu</a>
>
>
> detected as legit by rspamd with imho a very low score as you can see
> from the rspamd headers:
>
> X-Spamd-Result: default: False [4.50 / 10.00];
> 	 ARC_NA(0.00)[];
> 	 RCVD_VIA_SMTP_AUTH(0.00)[];
> 	 DMARC_POLICY_SOFTFAIL(0.10)
> 	 CSI_POOR_REPUTATION_SENDER(2.00)
> 	 FROM_HAS_DN(0.00)[];
> 	 TO_MATCH_ENVRCPT_ALL(0.00)[];
> 	 COUNTRY_US(0.20)
> 	 PREVIOUSLY_DELIVERED(0.00)
> 	 TO_DN_NONE(0.00)[];
> 	 R_SPF_SOFTFAIL(0.00)[~all];
> 	 RCPT_COUNT_ONE(0.00)[1];
> 	 MIME_HTML_ONLY(0.20)[];
> 	 SUBJECT_ENDS_EXCLAIM(0.00)[];
> 	 FROM_EQ_ENVFROM(0.00)[];
> 	 R_DKIM_NA(0.00)[];
> 	 RCVD_TLS_LAST(0.00)[];
> 	 ASN(0.00)[asn:14061, ipnet:167.99.144.0/20, country:US];
> 	 MID_RHS_MATCH_FROM(0.00)[];
> 	 HTTP_TO_HTTPS(2.00)[];
>
>
>
> A low number of symbols have been triggered, I expected at least
> something like "Symbol: PHISHING [dada.eu->garalmiase.xyz]" but it
> didn't happen.
>
> Which could be the reason why?
>
> I have just added that message to BAYES_SPAM, in order to increase the
> score of 5.1 points, anyway are there any other actions to do in order
> to reject these kinds of messages and mark them as spam?
>
>
> Thanks in advance.
> Regards,
> --
> Gabriele Nencioni
>

